TheAspens
commented
6 years ago How are you planning to implement this?
Open davidpanderson opened 6 years ago
TheAspens
commented
6 years ago How are you planning to implement this?
davidpanderson
commented
6 years ago Possibly a file containing a list of domains from which RPCs are accepted
ChristianBeer
commented
6 years ago Since you can't use the HTTP request header you need to use the originating IP address. So official Account Managers need to provide the IPs from which they operate and this list needs to be downloaded by projects that want to secure their RPCs.
Using an automated download means this needs to be secured against malicious attacks. The pure list would also allow projects to restrict access to those RPCs via other means (e.g. via htaccess or nginx rules).
Another more complicated way would be that AMs need to register with each project and they get an access token that they need to use when using the RPCs. This puts too much burden on the AM and project operators because the AM needs to contact every project for this token.
TheAspens
commented
6 years ago Another way would be if the account managers were to create a private key and then publish their public key. They could then sign the message and send the hash along with the message. The projects then verify the signature.
The public keys could either be distributed by BOINC or there could be a list of "official" account managers and a script on the project server could run every X hours and fetch the latest keys from each account manager.
http://php.net/manual/en/function.openssl-sign.php and http://php.net/manual/en/function.openssl-verify.php could be used for this.
This is a bit larger effort than originally seen, but it would have the advantage of being much harder to work around and it won't be dependent on BOINC infrastructure.
Projects export a set of RPCs for creating and modifying accounts. These are intended for use by account managers.
But as it stands now they can also be used by spammer scripts, and have been used to create thousands of fake accounts. Unlike web registration, Recaptcha is not available.
So I propose allowing RPCs only from vetted account managers. Initially we could do this based on info in the HTTP request header. This can be faked, so if we see continued spamming we could add a stronger mechanism.